Most security software defends PCs and websites by acting like a locked door to shut hackers out. A new security company, Mykonos Software, instead invites hackers in through a fake entrance and plays tricks on them until they give up.
“If you break in, I want to have fun with you,” says David Koretz, CEO of Mykonos. Koretz claims that the computer security industry is too timid—he advocates making hackers’ lives tedious and difficult instead.
Mykonos sells software intended to protect websites against attacks—like those on Sony’s websites last year that yielded thousands of credit-card numbers—aimed at gaining access to valuable data such as user credentials. When Mykonos’s software identifies an attacker, it tries to waste the hacker’s time by offering false data such as phony software vulnerabilities and fake passwords. This week, the 19-person company announced it had received $4 million in investments from a number of Web and technology company leaders, including Jeff Clark, the chairman of Orbitz.
The company’s software is aimed primarily at hackers who use automated tools that identify and exploit vulnerabilities in websites, says Koretz. Such tools allow even relatively unskilled hackers, sometimes dubbed “script kiddies,” to cause considerable damage.
Wasting assailants’ time “changes the economics” of attacking websites, says Koretz. “At the end of the day, there are a finite number of hackers, and if you break all of the automation, it becomes something only some people can do,” he says. “It’s a step towards making it more like bank robbery, a manageable problem.”
Mykonos software first needs to accurately identify attackers, to avoid breaking a site for legitimate users. The company’s software does that by using small snippets of code injected into Web pages, forms, and other data sent out to a computer accessing the site. The snippets are placed so that they will be altered by the most common methods used to probe for security vulnerabilities. When these snippets are altered, Mykonos’s software automatically notes the IP address of the potential attacker.
If an attacker is using a Web browser to probe a site, a small, tough-to-delete tracking file known as a “supercookie” is injected into it. If nonbrowser software is being used, the characteristics of the attacker’s computer are “fingerprinted.” When the same computer returns, the defense software knows and can respond appropriately.